nm-l2tp / NetworkManager-l2tp

L2TP and L2TP/IPsec support for NetworkManager
GNU General Public License v2.0

ipsec VPN connection error: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed #224

Closed manios closed 3 months ago

manios commented 3 months ago

Dear maintainers,

We are trying to connect from Ubuntu 22.04 to an IPsec L2TP VPN with a PSK which uses (how strange?? :smiley: ) deprecated and removed DH2 algorithms! In Windows 10, the VPN connection works and has the following configuration:

Windows setup

PPP Settings:

[screenshot: VPN Properties (vpn-windows-greenshot-2024-04-01 16_34_10)]

Security settings:

[screenshot: Network Connections, Security (vpn-windows-greenshot-2024-04-01 16_34_38)]

Advanced Security settings:

[screenshot: Network Connections, Advanced Security (vpn-windows-greenshot-2024-04-01 16_35_20)]

ike-scan

The output of running the ike-scan.sh script that you mention in the Known Issues (link) is the following:

$ sudo ./ike-scan.sh totally.insecurevpn.com | grep SA

    SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
    SA=(Enc=AES KeyLength=128 Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
    SA=(Enc=AES KeyLength=256 Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
    SA=(Enc=AES KeyLength=256 Hash=SHA1 Group=5:modp1536 Auth=PSK LifeType=Seconds LifeDuration=28800)

Ubuntu 22.04 configuration

Ubuntu Version

bobos@ubuntu-VirtualBox:~$ sudo lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 22.04.4 LTS
Release:    22.04
Codename:   jammy

bobos@ubuntu-VirtualBox:~$ sudo uname -a
Linux ubuntu-VirtualBox 6.5.0-26-generic #26~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Mar 12 10:22:43 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

Our configuration in Ubuntu Linux is the following based on the Windows configuration:

# /etc/NetworkManager/system-connections/VPNchaos.nmconnection 
[connection]
id=VPNchaos
uuid=0274aad9-acae-44a9-8f7e-c80f6ecb47ee
type=vpn
autoconnect=false

[vpn]
gateway=totally.insecurevpn.com
ipsec-enabled=yes
ipsec-esp=aes128-sha1,aes256-sha1
ipsec-ike=3des-sha1-modp1024
machine-auth-type=psk
mru=1400
mtu=1400
password-flags=0
refuse-chap=yes
refuse-eap=yes
refuse-mschap=yes
refuse-mschapv2=yes
user=bobos
user-auth-type=password
service-type=org.freedesktop.NetworkManager.l2tp

[vpn-secrets]
ipsec-psk=supersecretpsk
password=supersecretpassword

[ipv4]
method=auto

[ipv6]
addr-gen-mode=stable-privacy
method=auto

[proxy]

Error logs

However, when we try to connect, we get the following error: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed. You can see the complete logs if we run sudo tail -f -n 10 /var/log/syslog:

Apr  1 21:26:38 ubuntu-VirtualBox NetworkManager[584]: <info>  [1711995998.4079] vpn[0x5b72426ca0a0,0274aad9-acae-44a9-8f7e-c80f6ecb47ee,"VPN 1"]: starting l2tp
Apr  1 21:26:38 ubuntu-VirtualBox NetworkManager[584]: <info>  [1711995998.4086] audit: op="connection-activate" uuid="0274aad9-acae-44a9-8f7e-c80f6ecb47ee" name="VPN 1" pid=2291 uid=1000 result="success"
Apr  1 21:26:38 ubuntu-VirtualBox nm-l2tp-service[2333]: Check port 1701
Apr  1 21:26:38 ubuntu-VirtualBox NetworkManager[2339]: WARNING: ipsec auto has been deprecated
Apr  1 21:26:38 ubuntu-VirtualBox NetworkManager[2340]: ERROR: ipsec whack: Pluto is not running (no "/run/pluto/pluto.ctl"): No such file or directory (errno 2)
Apr  1 21:26:38 ubuntu-VirtualBox NetworkManager[2343]: Redirecting to: systemctl restart ipsec.service
Apr  1 21:26:38 ubuntu-VirtualBox systemd[1]: Starting Internet Key Exchange (IKE) Protocol Daemon for IPsec...
Apr  1 21:26:38 ubuntu-VirtualBox kernel: [  123.164161] Initializing XFRM netlink socket
Apr  1 21:26:38 ubuntu-VirtualBox systemd[1]: Started Internet Key Exchange (IKE) Protocol Daemon for IPsec.
Apr  1 21:26:38 ubuntu-VirtualBox NetworkManager[2372]: WARNING: ipsec auto has been deprecated
Apr  1 21:26:38 ubuntu-VirtualBox NetworkManager[2374]: listening for IKE messages
Apr  1 21:26:38 ubuntu-VirtualBox NetworkManager[2374]: Kernel supports NIC esp-hw-offload
Apr  1 21:26:38 ubuntu-VirtualBox NetworkManager[2374]: adding UDP interface enp0s3 10.0.2.15:500
Apr  1 21:26:38 ubuntu-VirtualBox NetworkManager[2374]: adding UDP interface enp0s3 10.0.2.15:4500
Apr  1 21:26:38 ubuntu-VirtualBox NetworkManager[2374]: adding UDP interface lo 127.0.0.1:500
Apr  1 21:26:38 ubuntu-VirtualBox NetworkManager[2374]: adding UDP interface lo 127.0.0.1:4500
Apr  1 21:26:38 ubuntu-VirtualBox NetworkManager[2374]: adding UDP interface lo [::1]:500
Apr  1 21:26:38 ubuntu-VirtualBox NetworkManager[2374]: adding UDP interface lo [::1]:4500
Apr  1 21:26:38 ubuntu-VirtualBox NetworkManager[2374]: loading secrets from "/etc/ipsec.secrets"
Apr  1 21:26:38 ubuntu-VirtualBox NetworkManager[2374]: loading secrets from "/etc/ipsec.d/ipsec.nm-l2tp.secrets"
Apr  1 21:26:38 ubuntu-VirtualBox NetworkManager[2377]: WARNING: ipsec auto has been deprecated
Apr  1 21:26:38 ubuntu-VirtualBox NetworkManager[2377]: /usr/local/sbin/ipsec: unknown option "--config" (perhaps command name was omitted?)
Apr  1 21:26:38 ubuntu-VirtualBox nm-l2tp-service[2333]: Could not establish IPsec connection.
Apr  1 21:26:38 ubuntu-VirtualBox nm-l2tp-service[2333]: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed
Apr  1 21:26:42 ubuntu-VirtualBox systemd[768]: Started Application launched by gnome-session-binary.

Build Libreswan and NetworkManager-l2tp from source

We have built Libreswan from source:

git clone https://github.com/libreswan/libreswan.git
cd libreswan
export USE_DH2=true
USE_DH2=true make programs
USE_DH2=true sudo make install

and also NetworkManager-l2tp using the --enable-libreswan-dh2 option (at commit 031e9e0):

# Clone
git clone https://github.com/nm-l2tp/NetworkManager-l2tp.git
cd NetworkManager-l2tp/

# configure
sudo ./autogen.sh
sudo ./configure   \
    --disable-static \
    --prefix=/usr \
    --sysconfdir=/etc \
    --libdir=/usr/lib/x86_64-linux-gnu  \
    --runstatedir=/run \
    --with-gtk4=no \
    --enable-libreswan-dh2

# then compile and install
sudo make
sudo make install

We have been trying for more than 8 hours to find out why we cannot connect, and we are quite sure that we are doing something completely wrong... Maybe you can spot a problem with our configuration?

Sorry for the long post; we hope that if we give you as many details as possible you can spot something without losing much valuable time.

Thank you beforehand for your time and help,
Christos
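The report above pairs an ike-scan listing of the server's phase 1 proposals with an nm-l2tp connection file that pins a single proposal. The following added example (not code from the nm-l2tp project or from the reporter) turns that comparison into a check: it parses the SA= lines copied from the report into nm-l2tp style "enc-hash-group" strings, verifies the configured ipsec-ike proposal is actually offered, flags the DH2 group (modp1024, which is why libreswan needed USE_DH2=true) when the server also offers something stronger, and notes when password-flags=0 leaves the user password in the connection file. The mapping from ike-scan's attribute names to nm-l2tp's proposal notation is an assumption drawn from the strings visible in the report; the strength ranking is a rough heuristic of my own.

```python
"""Audit an nm-l2tp connection against the IKE proposals a server offers.

Added example, not part of the nm-l2tp project. The ike-scan output and the
trimmed .nmconnection text below are copied from the issue report; the mapping
from ike-scan's SA notation to nm-l2tp's "enc-hash-group" proposal strings and
the strength ranking are assumptions.
"""
import configparser
import re

# ike-scan.sh output from the report (only the SA= lines).
IKE_SCAN_OUTPUT = """\
    SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
    SA=(Enc=AES KeyLength=128 Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
    SA=(Enc=AES KeyLength=256 Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
    SA=(Enc=AES KeyLength=256 Hash=SHA1 Group=5:modp1536 Auth=PSK LifeType=Seconds LifeDuration=28800)
"""

# The [vpn] and [vpn-secrets] sections from the report's first connection file.
NMCONNECTION = """\
[connection]
id=VPNchaos
type=vpn

[vpn]
gateway=totally.insecurevpn.com
ipsec-enabled=yes
ipsec-esp=aes128-sha1,aes256-sha1
ipsec-ike=3des-sha1-modp1024
machine-auth-type=psk
password-flags=0
service-type=org.freedesktop.NetworkManager.l2tp

[vpn-secrets]
ipsec-psk=supersecretpsk
password=supersecretpassword
"""

SA_RE = re.compile(r"SA=\((.*?)\)")

# Rough ranking (assumed) used only to pick the strongest proposal on offer.
ENC_RANK = {"3des": 0, "aes128": 1, "aes256": 2}
GROUP_RANK = {"modp1024": 0, "modp1536": 1, "modp2048": 2}
DEPRECATED_GROUPS = {"modp1024"}   # DH group 2; libreswan needs USE_DH2=true for it


def parse_ike_scan(text):
    """Return the server's phase 1 proposals as nm-l2tp style strings."""
    proposals = []
    for m in SA_RE.finditer(text):
        attrs = dict(kv.split("=", 1) for kv in m.group(1).split())
        enc = attrs["Enc"].lower()
        if "KeyLength" in attrs:          # ike-scan prints the AES key length separately
            enc += attrs["KeyLength"]
        hash_ = attrs["Hash"].lower()
        group = attrs["Group"].split(":", 1)[1]   # "2:modp1024" -> "modp1024"
        proposals.append(f"{enc}-{hash_}-{group}")
    return proposals


def strength(proposal):
    enc, _hash, group = proposal.split("-")
    return (GROUP_RANK.get(group, -1), ENC_RANK.get(enc, -1))


def audit(nmconnection_text, ike_scan_text):
    """Return a list of findings (empty list means nothing to report)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(nmconnection_text)
    vpn = cp["vpn"]
    offered = parse_ike_scan(ike_scan_text)
    findings = []

    configured = vpn.get("ipsec-ike", "")
    if configured and configured not in offered:
        findings.append(f"ipsec-ike={configured} is not offered by the server")
    if configured and configured.split("-")[-1] in DEPRECATED_GROUPS:
        best = max(offered, key=strength)
        if best.split("-")[-1] not in DEPRECATED_GROUPS:
            findings.append(
                f"ipsec-ike uses deprecated DH2 (modp1024); server also offers {best}")
    # password-flags=0 means NetworkManager itself stores the secret, so the
    # cleartext password ends up in the .nmconnection file on disk.
    if vpn.get("password-flags") == "0" and cp.has_option("vpn-secrets", "password"):
        findings.append(
            "user password is stored in cleartext in the connection file (password-flags=0)")
    return findings


if __name__ == "__main__":
    for finding in audit(NMCONNECTION, IKE_SCAN_OUTPUT):
        print("-", finding)
```

Run against the report's own data it produces two findings: the pinned 3des-sha1-modp1024 is offered but the server also advertises aes256-sha1-modp1536, so the DH2 build of libreswan was avoidable, and the user password sits in the file because of password-flags=0 (the later configuration in this thread switches to password-flags=2 and drops the password line).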

dkosovic commented 3 months ago

I'm guessing you are using libreswan instead of strongswan (which still supports modp1024/DH2) because you had it working with libreswan in the past?

From the unknown option "--config" error, it looks like NetworkManager-l2tp isn't compatible with the new libreswan v5.0rc1 and the unreleased version in git. I need to investigate more.

I've rebuilt libreswan 3.32 from the original Ubuntu 22.04 source package, but with USE_DH2=true. I recommend trying to use it instead:

The changes to the source package can be found here:

You'll note from the changes that USE_DH2=true is set and WERROR_CFLAGS is overridden, the latter because I was getting KU_DIGITAL_SIGNATURE and similar redefinition warnings which became errors because of the default -Werror argument for WERROR_CFLAGS.

I would recommend deleting everything in the phase 1 & 2 algorithm text boxes as newer versions of this VPN plugin will offer a combination of algorithms that the macOS and Win11 L2TP/IPsec clients use.

I would also recommend that the Disable PFS checkbox is ticked.

dkosovic commented 3 months ago

There was a typo which I've fixed up; the URL for the modified libreswan 3.32 was supposed to be:

manios commented 3 months ago

Hi @dkosovic!

Thank you for your quick response! The reason that I used Libreswan was that the only advice I could find on the internet for modp1024 referred to Libreswan (go figure :yum: ). Your advice has helped a lot and I was able to connect by using your package. I also enabled PFS and I kept the Phase 1 and Phase 2 algorithms because otherwise the connection could not be established. This is my current configuration:

# /etc/NetworkManager/system-connections/VPNchaos.nmconnection 
[connection]
id=VPNchaos
uuid=0274aad9-acae-44a9-8f7e-c80f6ecb47ee
type=vpn
autoconnect=false
timestamp=1712089557

[vpn]
gateway=totally.insecurevpn.com
ipsec-enabled=yes
ipsec-esp=aes128-sha1,aes256-sha1
ipsec-ike=3des-sha1-modp1024
ipsec-pfs=no
machine-auth-type=psk
mru=1400
mtu=1400
password-flags=2
refuse-chap=yes
refuse-eap=yes
refuse-mschap=yes
refuse-mschapv2=yes
user=bobos
user-auth-type=password
service-type=org.freedesktop.NetworkManager.l2tp

[vpn-secrets]
ipsec-psk=supersecretpsk

[ipv4]
method=auto
never-default=true

[ipv6]
addr-gen-mode=stable-privacy
method=disabled

The strange thing that I am now facing is that I get this error: xl2tpd[30633]: Maximum retries exceeded for tunnel 53807. Closing. I have found that you had already helped another fellow in issue #189 who encountered the same error. I have followed your advice and added the variable NM_L2TP_XL2TPD_MAX_RETRIES=20000 in /etc/environment, as my NetworkManager is version 1.36.6 and already has the fix of commit 2e5a163. I have restarted and retried, but the connection drops after 1.5 minutes with the same error:

Apr  3 21:44:39 ubuntu-VirtualBox NetworkManager[30633]: xl2tpd[30633]: Maximum retries exceeded for tunnel 53807.  Closing.
Apr  3 21:44:39 ubuntu-VirtualBox NetworkManager[30633]: xl2tpd[30633]: Terminating pppd: sending TERM signal to pid 30634
Apr  3 21:44:39 ubuntu-VirtualBox NetworkManager[30633]: xl2tpd[30633]: Connection 3483 closed to 192.164.172.140, port 1701 (Timeout)
Apr  3 21:44:39 ubuntu-VirtualBox pppd[30634]: Terminating on signal 15
Apr  3 21:44:39 ubuntu-VirtualBox pppd[30634]: Connect time 1.5 minutes.
Apr  3 21:44:39 ubuntu-VirtualBox pppd[30634]: Sent 1243161304 bytes, received 0 bytes.
Apr  3 21:44:39 ubuntu-VirtualBox NetworkManager[535]: <info>  [1712088159.0277] device (ppp0): state change: disconnected -> unmanaged (reason 'connection-assumed', sys-iface-state: 'external')
Apr  3 21:44:39 ubuntu-VirtualBox pppd[30634]: Overriding mtu 1500 to 1400
Apr  3 21:44:39 ubuntu-VirtualBox pppd[30634]: Overriding mru 1500 to mtu value 1400
Apr  3 21:44:39 ubuntu-VirtualBox pppd[30634]: Connection terminated.
Apr  3 21:44:39 ubuntu-VirtualBox NetworkManager[30633]: xl2tpd[30633]: death_handler: Fatal signal 15 received
Apr  3 21:44:39 ubuntu-VirtualBox gnome-shell[1011]: Removing a network device that was not added
Apr  3 21:44:39 ubuntu-VirtualBox NetworkManager[30723]: 002 "0274aad9-acae-44a9-8f7e-c80f6ecb47ee": terminating SAs using this connection
Apr  3 21:44:39 ubuntu-VirtualBox NetworkManager[30723]: 002 "0274aad9-acae-44a9-8f7e-c80f6ecb47ee" #2: deleting state (STATE_QUICK_I2) aged 92.541s and sending notification
Apr  3 21:44:39 ubuntu-VirtualBox NetworkManager[30723]: 005 "0274aad9-acae-44a9-8f7e-c80f6ecb47ee" #2: ESP traffic information: in=561B out=1076MB
Apr  3 21:44:39 ubuntu-VirtualBox pppd[30634]: Exit.
Apr  3 21:44:39 ubuntu-VirtualBox NetworkManager[30723]: 002 "0274aad9-acae-44a9-8f7e-c80f6ecb47ee" #1: deleting state (STATE_MAIN_I4) aged 92.744s and sending notification
Apr  3 21:44:39 ubuntu-VirtualBox nm-l2tp-service[30281]: ipsec shut down

I also disabled the xl2tpd service as I read in Connecting to an old modp1024 L2TP Ipsec VPN on Ubuntu 21.04:

sudo systemctl stop xl2tpd.service
sudo systemctl disable xl2tpd.service
sudo systemctl unmask ipsec.service

Do you have any other idea what I might be missing? Should I give katalix/go-l2tp a try instead of xl2tpd?

Thank you beforehand for your time and help,
Christos

dkosovic commented 3 months ago

Going back to phase 1 & 2 algorithms, the supported phase 1 algorithms reported by the ike-scan.sh script in the original post were:

As your VPN server supports modp1536, you shouldn't have needed DH2 support, i.e. modp1024.

For phase 2, Win 10 & 11 clients offer the following proposals (which is also the default now for this VPN plugin):

PFS is part of the phase 2 proposal negotiations with the VPN server. Older VPN servers generally don't support PFS and fail if PFS is enabled. In your case you needed to disable PFS.

I can understand that the "Disable PFS" checkbox would need to be ticked, but it's odd that it didn't work with empty phase 1 & 2 algorithm boxes, although that isn't without precedent for the phase 1 box, as some older VPN servers can get overwhelmed by the number of proposals.

Regarding the dropped connection after 1.5 minutes, it's most likely a routing issue, see issue #132. After the VPN connection has been established, try route del {gateway IP address}. It's less likely to be the 1.5 minute dropped connection issue #140. I don't think setting NM_L2TP_XL2TPD_MAX_RETRIES would be necessary for routing issues.
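The routing advice above (delete the route for the gateway once the VPN is up) can be turned into a quick check before reaching for route del. The following added example (not code from the nm-l2tp project or from either commenter) parses ip route show output, identifies the interface that carries the default route, and reports any host route for the VPN gateway that does not use that interface, together with the ip route del command that removes it. The route listing is constructed; the gateway address 192.164.172.140 and the interface names enp0s3 and ppp0 are taken from the logs in this issue, while the exact shape of the extra route (a host route for the gateway pointing at ppp0) is an assumption about how issue #132 shows up.

```python
"""Find a host route for the VPN gateway that points into the tunnel itself.

Added example, not part of the nm-l2tp project. The `ip route show` lines are
constructed; 192.164.172.140, enp0s3 and ppp0 come from the logs in this
issue. That the stray route points at ppp0 is an assumption.
"""
import re

# Constructed `ip route show` output: a normal DHCP uplink plus a host route
# for the VPN server that was added over the tunnel interface.
IP_ROUTE_OUTPUT = """\
default via 10.0.2.2 dev enp0s3 proto dhcp metric 100
10.0.2.0/24 dev enp0s3 proto kernel scope link src 10.0.2.15 metric 100
10.8.0.1 dev ppp0 proto kernel scope link src 10.8.0.2
192.164.172.140 dev ppp0 proto kernel scope link src 10.8.0.2
"""

VPN_GATEWAY = "192.164.172.140"   # from "Connection 3483 closed to 192.164.172.140" in the log

# destination, optional "via <nexthop>", then "dev <iface>"; the rest is ignored.
ROUTE_RE = re.compile(r"^(?P<dst>\S+)(?: via (?P<via>\S+))? dev (?P<dev>\S+)")


def parse_routes(text):
    """Return one dict per route line with keys dst, via (may be None) and dev."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            routes.append(m.groupdict())
    return routes


def uplink_dev(routes):
    """Interface carrying the default route, where IKE/L2TP packets should leave."""
    for r in routes:
        if r["dst"] == "default":
            return r["dev"]
    return None


def find_gateway_loop(routes, gateway):
    """Host routes for the gateway that bypass the uplink interface.

    If the gateway is reachable only through the tunnel, the encapsulated
    IPsec/L2TP packets addressed to it are fed back into the tunnel instead of
    leaving the machine, so the server never answers and the tunnel times out.
    """
    uplink = uplink_dev(routes)
    return [r for r in routes
            if r["dst"].split("/")[0] == gateway and r["dev"] != uplink]


def delete_commands(bad_routes):
    """`ip route del` equivalents of the `route del {gateway}` advice above."""
    cmds = []
    for r in bad_routes:
        if r["via"]:
            cmds.append(f"ip route del {r['dst']} via {r['via']} dev {r['dev']}")
        else:
            cmds.append(f"ip route del {r['dst']} dev {r['dev']}")
    return cmds


if __name__ == "__main__":
    routes = parse_routes(IP_ROUTE_OUTPUT)
    for cmd in delete_commands(find_gateway_loop(routes, VPN_GATEWAY)):
        print(cmd)
```

On a live system replace IP_ROUTE_OUTPUT with the output of ip route show taken right after the VPN comes up; an empty result from find_gateway_loop means the gateway is still reached over the uplink and the 1.5 minute drop is more likely one of the other causes mentioned in this thread.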

manios commented 3 months ago

Hi @dkosovic !

The issue behind the disconnection was indeed #132. The connection was adding an extra route. After connecting I deleted the route and the VPN connection worked as expected!

Thank you for your help and your valuable input!

Best regards, Christos